Bug 1579285 - Add pref to override minimum TLS version r=keeler

The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation.  During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.

Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref.  What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.

This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Martin Thomson 2019-09-16 19:36:08 +00:00
Parent 1f46c9a2b1
Commit bcf590a1d0
2 changed files: 11 additions and 1 deletion

@ -25,6 +25,7 @@
pref("security.tls.version.min", 3); pref("security.tls.version.min", 3);
#endif #endif
pref("security.tls.version.max", 4); pref("security.tls.version.max", 4);
pref("security.tls.version.enable-deprecated", false);
pref("security.tls.version.fallback-limit", 4); pref("security.tls.version.fallback-limit", 4);
pref("security.tls.insecure_fallback_hosts", ""); pref("security.tls.insecure_fallback_hosts", "");
// Turn off post-handshake authentication for TLS 1.3 by default, // Turn off post-handshake authentication for TLS 1.3 by default,
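Review bot: the new `security.tls.version.enable-deprecated` pref is added to the prefs file with no comment, even though the commit message describes it as a temporary override scheduled for removal in March 2020; add a short comment next to the pref mirroring the one in nsNSSComponent.cpp (e.g. `// Temporary override for the TLS 1.0/1.1 deprecation rollout; remove in March 2020, see bug 1579285.`) so the removal is not missed by someone reading only the prefs file.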

@ -1259,6 +1259,14 @@ nsresult nsNSSComponent::setEnabledTLSVersions() {
uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max", uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
PSM_DEFAULT_MAX_TLS_VERSION); PSM_DEFAULT_MAX_TLS_VERSION);
// This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is increased
// to 3 in March 2020, see bug 1579285.
bool enableDeprecated = Preferences::GetBool("security.tls.version.enable-deprecated",
false);
if (enableDeprecated) {
minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
}
SSLVersionRange defaults = { SSLVersionRange defaults = {
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION, SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION}; SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
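Review bot: `minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);` lowers any configured minimum that is above the compiled-in default, not only the rollout default of 3 set in the prefs file, so a user who deliberately raised `security.tls.version.min` (for example to 4) and then sets the override also gets TLS 1.0/1.1 re-enabled. If that is intended, say so in the comment above the check; otherwise apply the override only when `minFromPrefs` still equals the rollout default, so an explicit stricter setting is preserved.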
@ -1910,7 +1918,8 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
NS_ConvertUTF16toUTF8 prefName(someData); NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.EqualsLiteral("security.tls.version.min") || if (prefName.EqualsLiteral("security.tls.version.min") ||
prefName.EqualsLiteral("security.tls.version.max")) { prefName.EqualsLiteral("security.tls.version.max") ||
prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
(void)setEnabledTLSVersions(); (void)setEnabledTLSVersions();
} else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) { } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
bool enableDowngradeCheck = Preferences::GetBool( bool enableDowngradeCheck = Preferences::GetBool(
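Review bot: the observer now re-runs `setEnabledTLSVersions()` when `security.tls.version.enable-deprecated` changes, but nothing in this diff registers a pref observer for the new name; confirm that the existing registration covers it (for instance by observing the `security.tls.version.` prefix), otherwise flipping the pref at runtime will not reach this branch until the next restart.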